OpenShift Bugs / OCPBUGS-16796

The file permission for pod specification files of the kube-apiserver should be updated to 600 to conform with CIS benchmarks

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • 4.14.0
    • kube-apiserver
    • Moderate

      Description of problem:

      Observation from the CIS v1.4 PDF:
      1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive

      "Ensure that the API server pod specification file has permissions of 600 or more restrictive.
      OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.
      The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd.
      The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600."

      To conform with the CIS benchmark, the permissions of the pod specification file for the kube-apiserver, /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml, should be updated to 600.
      
      $ for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )
      do
          oc exec -n openshift-kube-apiserver $i -- \
              stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
      done
      644
      644
      644
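      The loop above only prints the mode; as an added example that is not part of the bug report, the check below applies the CIS 1.1.1 rule ("600 or more restrictive") as a bitwise test rather than a numeric comparison, so that modes such as 640 or 700 are also flagged. It assumes GNU `stat -c %a` as used in the report's loop, and runs against a constructed temporary file standing in for the manifest path.

```shell
#!/bin/sh
# Added example (not from the bug report): CIS 1.1.1-style check that a
# kube-apiserver pod spec file is mode 600 "or more restrictive".
# "More restrictive" means no permission bit outside owner rw, so the test
# is bitwise: 0640 and 0700 fail even though 0640 < 0644 numerically.

# mode_is_at_most_600 MODE  (MODE as printed by `stat -c %a`, e.g. 644)
# Returns 0 when MODE sets no bits beyond 0600, 1 otherwise.
mode_is_at_most_600() {
    extra=$(( 0$1 & ~0600 ))   # leading 0 forces octal; setuid/setgid/sticky bits also fail
    [ "$extra" -eq 0 ]
}

# check_manifest_mode FILE
# Prints PASS/FAIL and returns 0/1 so it can drive a loop like the one in the report.
check_manifest_mode() {
    mode=$(stat -c %a "$1") || return 2   # GNU stat, as in the report's loop
    if mode_is_at_most_600 "$mode"; then
        echo "PASS $1 mode $mode"
        return 0
    fi
    echo "FAIL $1 mode $mode (CIS 1.1.1: expected 600 or more restrictive)"
    return 1
}

# Demo on a constructed file standing in for
# /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
demo_dir=$(mktemp -d)
demo_file="$demo_dir/kube-apiserver-pod.yaml"
: > "$demo_file"
chmod 644 "$demo_file"
check_manifest_mode "$demo_file" || true   # FAIL: the state observed in the report
chmod 600 "$demo_file"
check_manifest_mode "$demo_file"           # PASS: the expected state
rm -rf "$demo_dir"
```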


      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-20-215234

      How reproducible:

      Always

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      The permission of the pod specification file for the kube-apiserver is 644.

      Expected results:

      The permission of the pod specification file for the kube-apiserver should be updated to 600.

      Additional info:

      PR: https://github.com/openshift/library-go/commit/19a42d2bae8ba68761cfad72bf764e10d275ad6e


            Damien Grisonnet (dgrisonn@redhat.com)
            Xiaojie Yuan (xiyuan@redhat.com)
            Rahul Gangwar